Professional Documents
Culture Documents
COMPTIA
WINDOW
LINUX
CISCO
CAREERS
Search...
You are here: Home // Cisco // CCNA Study Guide 640 - 802 // Network Security access lists standards and extended // How to configure extended access list on
router
cisco.com
Free Trial - Protect Your Business Network w/ Cisco Security Solutions
In this article we will configure Extended access list. If you want to read the feature and characteristic of access list reads this
previous article.
In this article we will use a RIP running topology. Which we created in RIP routing practical.
Easily create high-quality PDFs from your web pages - get a business license!
Cisco Networking
Computer Router
Computer Network
Main command
access-listnumber
permit
deny
Identifies the list using a number in the ranges of 100199 or 2000 2699.
Easily create high-quality PDFs from your web pages - get a business license!
protocol
source and
destination
sourcewildcard
and
destinationwildcard
The operator can be lt (less than), gt (greater than), eq (equal to), or neq (not equal to). The port number
referenced can be either the source port or the destination port, depending on where in the ACL the port number is
configured. As an alternative to the port number, well-known application names can be used, such as Telnet,
FTP, and SMTP.
For inbound TCP only. Allows TCP traffic to pass if the packet is a response to an outbound-initiated session.
established
This type of traffic has the acknowledgement (ACK) bits set. (See the Extended ACL with the Established
Parameter example.)
log
Before we configure Extended Access list you should cram up some important port number
IP Protocol
20 (TCP)
FTP data
21 (TCP)
FTP control
23 (TCP)
Telnet
25 (TCP)
53 (TCP/UDP)
69 (UDP)
TFTP
80 (TCP)
HTTP
Easily create high-quality PDFs from your web pages - get a business license!
With Access Lists you will have a variety of uses for the wild card masks, but typically For CCNA exam prospective you should be
able to do following:
Block host to host
Block host to network
Block Network to network
Block telnet access for critical resources of company
Limited ftp access for user
Stop exploring of private network form ping
Limited web access
Configure established keyword
R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 101 deny ip host 10.0.0.3 40.0.0.3 0.0.0.0
R1(config)#access-list 101 permit ip any any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit
R1(config)#
Verify by doing ping from 10.0.0.3 to 40.0.0.3. It should be reqest time out. Also ping other computers of network including 40.0.0.2.
Easily create high-quality PDFs from your web pages - get a business license!
R2>enable
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.0.0.0 0.255.255.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#
To test first do ping from 10.0.0.3 to 40.0.0.3 it should be request time out as this packet will filter by ACL. Then ping 30.0.0.3 it
should be successfully replay.
Now we will block the network of 10.0.0.0 from gaining access on the network 40.0.0.0. ( if you are doing this practical after
configuring pervious example don't forget to remove the last access list 101. With no access-list command. Or just close the packet
tracer without saving and reopen it to be continue with this example.)
Network to host
Task
For the final scenario you will block all traffic to 40.0.0.3 from the Network of 10.0.0.0 To accomplish this write an extended access
list. The access list should look something like the following.
In pervoius example we filter ip base traffic. Now we will filter applicaion base traffic. To do this practical either create a topology as
shown in figure and enable telnet and http and ftp service on server or download this pre configured topology and load it in packet
tracer.
Extended Access list
To test this access list double click on any pc from the network 10.0.0.0 and select web brower. Now give the ip of 30.0.0.2 web
server. It should get sucessfully access the web page. Now go 30.0.0.2 and open command prompt. And do ping to 10.0.0.2 or any
pc from the network the 10.0.0.0. it will request time out.
Written by Admin
< Prev
Comments
# Zachariah nuzuga
2014-09-06 17:10
2014-08-29 07:21
2014-08-11 23:31
2014-06-24 04:46
Easily create high-quality PDFs from your web pages - get a business license!
2014-06-13 13:22
-I have two ISP in my network and i want 11.0.0.1/24 block to access only email via ISP-1 and 192.168.0.1/24 block can
access the internet
via ISP-2. How can i configured this on cisco router
-Anyone have an idea please help-since i need to use both ISP's on my network.
Reply | Reply with quote | Quote
# anitha
2014-04-20 06:31
2014-04-12 17:55
2014-04-08 04:33
2014-03-27 07:58
Hello,
Many thanks for the content. I've learnt a lot. May God bless u
Reply | Reply with quote | Quote
# asa
2014-02-20 11:32
Thanks dude, your tutorials really work. I love you as i love packet tracer. Thanks a bunch again:))
Reply | Reply with quote | Quote
# asa
2014-02-20 11:30
Thanks dude, your tutorials really work!!!!!!!!! I love you as i love packet tracer:))
Reply | Reply with quote | Quote
# faizal
2014-02-19 11:44
# mmustafa
2014-01-21 12:51
2014-01-06 10:15
2013-12-29 15:37
Thanks a lot this was very helpful however blocking a number of hosts say (10.1.50.1 through 10.1.50.63) I have got a
problem with that.
Reply | Reply with quote | Quote
# Sikkander Basha
2013-11-11 06:14
2013-10-25 13:33
2013-10-11 21:59
The details description of every command is awesome. I really love the site and a big thank you to the developer,great work
well done.
Reply | Reply with quote | Quote
# Tanzeem Akhtar
2013-10-11 07:35
2013-10-09 02:02
2013-10-09 02:01
Thank you, this was very helpful, detailed explanation. Well done
Reply | Reply with quote | Quote
# PRATIK Y SADHU
2013-10-08 08:32
Easily create high-quality PDFs from your web pages - get a business license!
your word to word CLI explanations of CPT and diagrams helped me a lot. a billion thanks to you. awesome site for
networking students.
Reply | Reply with quote | Quote
# vali
2013-10-04 17:05
nicee make me feel familiar with packet tracer and acl's THNX
Reply | Reply with quote | Quote
# fiston
2013-09-16 09:23
2013-09-09 19:19
NICE WORK
THANKS DEAR
Reply | Reply with quote | Quote
# sumit
2013-08-17 17:49
2013-08-16 05:11
2013-08-14 15:24
FOLLOW US
Easily create high-quality PDFs from your web pages - get a business license!
CONTACT US
On Google plus
On Twitter
435
Follow
Follow
Like us on Facebook
Find us on Facebook
ComputerNetworkingNotes.com
Like
6,797 people like ComputerNetworkingNotes.com.
Write for us
We are always on the lookout for new talent and ideas. We provide you a
platform to share your ideas and knowledge with the world while developing a
name for yourself as an expert in your field. We encourage you to learn more
and submit a article!
Advertise With us
Reach millions of global audience including network administrator and system
admin. Advertising on ComputerNetworkingNotes.com will allow your company
to tap into one of the largest online communities of computer networking.
Report an issue
We greatly appreciate our visitors helping us to find issues with the site. we
will investigate your report and use the information you provide to improve our
site.
Other reason
We love to hear from you! Regardless of the type of feedback, we are always
ready to assist you.
Easily create high-quality PDFs from your web pages - get a business license!
Advertise with us Write for us Contact Us Privacy Policy Terms and conditions